NZ Privacy Act Checklist for AI Delivery Teams

27 February 2026 · DataNAI

For implementation teams, privacy compliance must be embedded in architecture and operating procedures, not added at release time.

Delivery checklist

Data collection and purpose

  • Document why each data field is required for the workflow.
  • Remove fields that do not support the stated purpose.
  • Separate operational identifiers from model features where possible.

Access and security controls

  • Enforce role-based access boundaries.
  • Apply encryption in transit and at rest.
  • Keep an auditable log of access and policy changes.

Data quality and correction

  • Define processes for correcting inaccurate records.
  • Track source-of-truth ownership per dataset.
  • Monitor freshness and completeness for high-impact workflows.

Transparency and accountability

  • Provide internal documentation on model use in decision paths.
  • Define human review points for higher-risk outputs.
  • Record escalation and incident response ownership.

Retention and disposal

  • Set retention windows by data type and risk tier.
  • Implement deletion workflows that include derived stores.
  • Verify disposal controls during periodic audits.

Practical implementation pattern

Treat privacy as a build-time and run-time concern:

  1. include controls in design reviews,
  2. enforce release gates in CI/CD,
  3. validate controls in operational reviews.
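
As an added example (not code from DataNAI or the original page), the release gate in step 2 can be sketched as a script that checks a data-field manifest against the checklist items on documented purpose, identifier separation, retention windows and deletion coverage of derived stores. The manifest layout, field names, store names and retention limits are assumptions constructed for illustration.

```python
import sys

# Constructed policy values (assumptions): maximum retention in days per risk tier.
MAX_RETENTION_DAYS = {"high": 90, "medium": 365, "low": 1095}

# Constructed sample manifest; in a pipeline this would be loaded from the repository.
SAMPLE_MANIFEST = [
    {"name": "customer_id", "kind": "identifier", "purpose": "join to CRM record",
     "model_feature": False, "risk_tier": "high", "retention_days": 90,
     "stores": ["warehouse"], "deletion_covers": ["warehouse"]},
    {"name": "email", "kind": "identifier", "purpose": "",
     "model_feature": True, "risk_tier": "high", "retention_days": 400,
     "stores": ["warehouse", "feature_store"], "deletion_covers": ["warehouse"]},
    {"name": "tenure_months", "kind": "attribute", "purpose": "churn model input",
     "model_feature": True, "risk_tier": "low", "retention_days": None,
     "stores": ["feature_store"], "deletion_covers": ["feature_store"]},
]


def check_field(field):
    """Return the list of checklist violations for one manifest entry."""
    problems = []
    if not (field.get("purpose") or "").strip():
        problems.append("no documented purpose")
    if field.get("kind") == "identifier" and field.get("model_feature"):
        problems.append("operational identifier used as model feature")
    limit = MAX_RETENTION_DAYS.get(field.get("risk_tier"))
    days = field.get("retention_days")
    if limit is None:
        problems.append("unknown risk tier")
    elif not isinstance(days, int) or days <= 0:
        problems.append("no retention window")
    elif days > limit:
        problems.append(f"retention {days}d exceeds {limit}d for tier")
    # Every store holding the field, derived stores included, needs deletion coverage.
    missing = sorted(set(field.get("stores", [])) - set(field.get("deletion_covers", [])))
    if missing:
        problems.append("deletion workflow misses: " + ", ".join(missing))
    return problems


def gate(manifest):
    """Map field name -> violations; an empty dict means the release may proceed."""
    return {f["name"]: p for f in manifest if (p := check_field(f))}


if __name__ == "__main__":
    failures = gate(SAMPLE_MANIFEST)
    print("\n".join(f"{n}: {'; '.join(p)}" for n, p in failures.items()))
    sys.exit(1 if failures else 0)
```

Run as a pipeline step, the non-zero exit status blocks the release until every listed field is fixed in the manifest.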
